Merge cedc2a94ecb3d2066eb6d72c353a02ee9b682917 into a2c41756a56eeb7c09a270700672a4154645cbc6

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>

.github/dependabot.yml

@@ -12,7 +12,7 @@ updates:
     schedule:
       interval: "weekly"
 
-  # Dependencies listed in Dockerfile.ovpn-admin
+  # Dependencies listed in Dockerfile
   - package-ecosystem: "docker"
     directory: "/"
     schedule:

.github/workflows/publish-tag.yaml

@@ -9,16 +9,14 @@ on:
     branches:
       - master
 
+env:
+  WERF_STAGED_DOCKERFILE_VERSION: v2
+  # WERF_BUILDAH_MODE: auto
+
 jobs:
   build:
     name: build images for tag
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-        - name: ovpn-admin
-        - name: openvpn
 
     steps:
       - name: Checkout code
@@ -26,40 +24,29 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Get the version
-        id: get_version
-        run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
+      - uses: werf/actions/install@v1.2
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Login into ghcr.io
+        shell: bash
+        run: werf cr login -u ${{ github.actor }} -p ${{ github.token }} ghcr.io/${{ github.repository }}
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3.3.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.DECKHOUSE_REGISTRY_USER }}
-          password: ${{ secrets.DECKHOUSE_REGISTRY_PASSWORD }}
-
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
-        id: meta
         uses: docker/metadata-action@v5.6.1
         with:
           images: ghcr.io/${{ github.repository }}/${{ matrix.name }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Push Image
-        uses: docker/build-push-action@v4
-        with:
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            TAG=${{ github.ref_name }}
-          platforms: linux/amd64,linux/arm64,linux/arm
-          file: ./Dockerfile.${{ matrix.name }}
+      - name: Build Image
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          source "$(werf ci-env github --as-file)"
+          source <(jq -r '.labels | to_entries | to_entries[] | "export WERF_EXPORT_ADD_LABEL_\(.key)=\"\(.value.key)=\(.value.value)\""' <<< $DOCKER_METADATA_OUTPUT_JSON)
+
+          werf build
+
+      - name: Build and Push Image
+        if: ${{ github.event_name != 'pull_request' }}
+        run: |
+          source "$(werf ci-env github --as-file)"
+          source <(jq -r '.labels | to_entries | to_entries[] | "export WERF_EXPORT_ADD_LABEL_\(.key)=\"\(.value.key)=\(.value.value)\""' <<< $DOCKER_METADATA_OUTPUT_JSON)
+
+          werf export --tag ghcr.io/${{ github.repository }}/%image%:${{ github.ref_name }}

certificates.go

@@ -8,7 +8,9 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"errors"
+	"fmt"
 	"math/big"
+	"strconv"
 	"time"
 )
 
@@ -60,7 +62,6 @@ func genPrivKey() (privKeyPEM *bytes.Buffer, err error) {
 		Bytes: privKeyPKCS8,
 	})
 
-
 	return
 }
 
@@ -133,6 +134,17 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 	serialNumberRange := new(big.Int).Lsh(big.NewInt(1), 128)
 	serial, err := rand.Int(rand.Reader, serialNumberRange)
 
+	certLifetimeDays, err := strconv.Atoi(*clientCertExpirationDays)
+	if err != nil {
+		return nil, fmt.Errorf("can't get client certificate expiration value: %w", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(time.Duration(certLifetimeDays) * 24 * time.Hour)
+	if notAfter.After(ca.NotAfter) {
+		notAfter = ca.NotAfter
+	}
+
 	template := x509.Certificate{
 		BasicConstraintsValid: true,
 		DNSNames:              []string{cn},
@@ -142,8 +154,8 @@ func genClientCert(privKey, caPrivKey *rsa.PrivateKey, ca *x509.Certificate, cn
 		},
 		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-		NotBefore:   time.Now(),
-		NotAfter:    ca.NotAfter,
+		NotBefore:   notBefore,
+		NotAfter:    notAfter,
 	}
 
 	issuerBytes, err := x509.CreateCertificate(rand.Reader, &template, ca, &privKey.PublicKey, caPrivKey)

main.go

@@ -76,6 +76,7 @@ var (
 	logLevel                 = kingpin.Flag("log.level", "set log level: trace, debug, info, warn, error (default info)").Default("info").Envar("LOG_LEVEL").String()
 	logFormat                = kingpin.Flag("log.format", "set log format: text, json (default text)").Default("text").Envar("LOG_FORMAT").String()
 	storageBackend           = kingpin.Flag("storage.backend", "storage backend: filesystem, kubernetes.secrets (default filesystem)").Default("filesystem").Envar("STORAGE_BACKEND").String()
+	clientCertExpirationDays = kingpin.Flag("client-cert.expiration-days", "Expiration period of OpenVPN client certificates in days, the period will shrink automatically to the CA expiration period").Default("3650").Envar("CLIENT_CERT_EXPIRATION_DAYS").String()
 
 	certsArchivePath = "/tmp/" + certsArchiveFileName
 	ccdArchivePath   = "/tmp/" + ccdArchiveFileName